
SSO + Zero-Day Protection for Mattermost

by Mattermost, Inc.

Add SAML/OIDC SSO to Mattermost via Authenticated Proxy — Protect Team Communications

Why Mattermost Needs an Authenticated Proxy

Mattermost is a self-hosted team messaging and collaboration platform used by organizations requiring data sovereignty, compliance, and security for internal communications. Mattermost channels contain sensitive business discussions, file attachments, integration webhooks, and bot configurations. A compromised Mattermost instance exposes all internal communications, shared files, and integration credentials. OnePAM adds enterprise SSO by placing an authenticated reverse proxy in front of Mattermost. Users authenticate through your corporate IdP, and OnePAM handles the identity verification. Only authenticated users can access team channels, files, and integrations.

HTTP Header Authentication
X-Forwarded-User / X-Forwarded-Email

Mattermost supports trusted proxy authentication via HTTP headers. OnePAM injects the authenticated user identity, and Mattermost creates or maps the user session based on the trusted header. This trust model holds only if Mattermost is reachable exclusively through OnePAM and the proxy discards any X-Forwarded-User or X-Forwarded-Email header supplied by the client; otherwise anyone who can reach Mattermost directly, or slip such a header past the proxy, can impersonate any user.

Mattermost Vulnerability Risks

Without an authenticated proxy, the Mattermost login page and API are reachable by anyone on the network, so any unpatched pre-authentication flaw can be attempted directly.

Mattermost has had SSRF and authentication bypass vulnerabilities
Internal communications contain sensitive business discussions and decisions
File attachments may include confidential documents and credentials
Integration webhooks and bot tokens provide access to external services

Security Challenges with Mattermost

These are the risks organizations face when Mattermost is not behind an authenticated proxy.

Communication Exposure

Mattermost channels contain confidential discussions, strategic plans, incident responses, and personnel matters.

File Attachment Risk

Shared files may include contracts, credentials, architecture documents, and other sensitive materials.

Integration Token Exposure

Webhook URLs, bot tokens, and integration configurations provide access to external services and APIs.

SSRF Vulnerability History

Mattermost has had SSRF vulnerabilities that allow attackers to reach internal services through the application.

Credential Sprawl

Self-hosted Mattermost has its own user management, creating another credential outside your IdP.

SSO Licensing Limits

Advanced SSO features (SAML, group sync) require Mattermost Professional or Enterprise licensing.

How OnePAM Adds SSO + Zero-Day Protection to Mattermost

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Mattermost.

1

Deploy OnePAM as Mattermost's Proxy

Place OnePAM in front of the Mattermost server, intercepting all web and API traffic.

Mattermost is configured, and firewalled at the network level, to accept connections only from OnePAM. Direct access to the Mattermost login page, API, and WebSocket endpoints is blocked, so the trusted identity headers cannot be forged by bypassing the proxy.
2

Configure Your IdP

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles the full authentication flow including MFA enforcement and group membership.
3

Enable Proxy Authentication

OnePAM injects the authenticated user identity via HTTP headers that Mattermost trusts.

Users authenticate via your IdP and land in Mattermost without a second login. User accounts are auto-created from the trusted identity.
4

Map Teams and Channels

IdP groups map to Mattermost teams and channel memberships for centralized access management.

Engineering joins #engineering, marketing joins #marketing, and leadership joins #executive — all managed from your IdP.
5

Audit Communications Access

Every Mattermost access is logged with corporate identity context.

OnePAM logs who accessed Mattermost, when, from where, and with what authentication method for compliance requirements.

Benefits of Securing Mattermost with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Mattermost.

Protect Internal Communications

Only authenticated users can access team channels, files, and integrations.

Zero unauthorized message access

SSO for Mattermost Free

OnePAM provides enterprise SSO for Mattermost Free edition — no Professional or Enterprise licensing needed.

Enterprise SSO at no extra cost

Shield from Mattermost CVEs

Unauthenticated exploitation attempts never reach Mattermost: requests without a verified identity are stopped at the proxy layer, which removes the pre-authentication attack surface of SSRF and auth bypass CVEs. Flaws reachable by an authenticated user still require patching.

Pre-auth CVEs blocked at proxy

MFA for Team Messaging

Enforce your IdP's MFA for Mattermost access, including phishing-resistant methods such as FIDO2/WebAuthn where your IdP supports them, which Mattermost's built-in TOTP-only MFA does not offer.

Enterprise-grade MFA

Centralized Team Management

Manage Mattermost team and channel membership from your IdP.

IdP-driven team access

Instant Deprovisioning

Disable a user in your IdP and Mattermost access stops immediately.

Real-time access revocation

Mattermost SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Mattermost.

SAML 2.0 & OIDC SSO via proxy header authentication
IdP group to Mattermost team/channel mapping
Auto-provisioning users from IdP
Session recording for compliance
IP and geo-restriction for messaging access
Device trust verification
API and webhook access policies
Desktop and mobile app SSO support
Concurrent session controls
Multi-Mattermost instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Mattermost from exploitation.

Mattermost isolated from direct network access
TLS on both hops: client to OnePAM and OnePAM to Mattermost
Request-level identity verification
Reduced exposure to Mattermost SSRF vulnerabilities, since unauthenticated requests never reach the application
Webhook and bot token access controls
Automatic session termination on IdP sign-out

Mattermost SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Mattermost.

1
Teams using self-hosted Mattermost with corporate SSO and MFA
2
Compliance-driven messaging access auditing for regulated industries
3
Contractors accessing specific channels with time-limited, audited sessions
4
Protecting Mattermost from SSRF and auth bypass exploitation
5
Centralized team membership management from corporate directory
6
Providing enterprise SSO without upgrading from Mattermost Free

Mattermost SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Mattermost.

Does OnePAM work with Mattermost Free edition?

Yes. OnePAM provides enterprise SSO at the proxy layer, working with all Mattermost editions including Free, Professional, and Enterprise.

Can Mattermost desktop and mobile apps work with OnePAM?

Yes. Mattermost desktop and mobile apps can authenticate through OnePAM's SSO flow for the initial login, then use session tokens for ongoing access.

Does OnePAM affect Mattermost webhooks and bots?

OnePAM supports path-based policies. Incoming webhook endpoints can be configured with different authentication requirements than the main Mattermost interface. Because a Mattermost incoming webhook is authenticated by nothing more than its secret URL, a webhook path that bypasses SSO should be restricted to the source networks of the systems that post to it rather than exposed to the Internet.

Can we auto-join users to channels based on IdP groups?

OnePAM passes IdP group memberships via HTTP headers. Mattermost can map these to team memberships, and channel auto-join can be configured based on team membership.
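The proxy-side decisions described in the step-by-step guide above and in the two preceding answers (path-based webhook policy, group-to-team mapping), as an added example that is not OnePAM's or Mattermost's code. The header names X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Groups, the onepam_session cookie, the /hooks/ prefix, the source allowlist and the group-to-team table are assumptions chosen for illustration; the session store and requests are constructed sample data.

```python
"""Added example (not OnePAM's or Mattermost's code): the per-request policy of
an authenticating reverse proxy in front of Mattermost, written as pure
functions so its decisions can be exercised offline.

Assumed (not stated on the page): the identity header names carried to
Mattermost, the session cookie name, the /hooks/ prefix for incoming webhooks,
and the IdP-group to team mapping.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Identity headers Mattermost is told to trust. They must only ever be set by
# the proxy, so anything the client sends under these names is discarded.
IDENTITY_HEADERS = ("x-forwarded-user", "x-forwarded-email", "x-forwarded-groups")

# Constructed sample session store: cookie value -> identity verified at the IdP.
SESSIONS = {
    "sess-alice": {"user": "alice", "email": "alice@example.com",
                   "groups": ["engineering", "leadership"], "amr": "mfa"},
}

# Constructed sample: the only network allowed to call incoming webhooks.
# Mattermost incoming webhooks are authenticated by their secret URL alone,
# so the proxy narrows who may even reach them.
WEBHOOK_SOURCE_ALLOWLIST = [ip_network("10.20.0.0/16")]

# Constructed IdP-group -> Mattermost team mapping (step 4 on the page).
GROUP_TO_TEAM = {"engineering": "engineering", "marketing": "marketing",
                 "leadership": "executive"}


@dataclass
class Request:
    path: str
    headers: dict                       # exactly as received from the client
    client_ip: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Decision:
    status: int                         # 200 forward, 302 send to IdP, 403 deny
    upstream_headers: dict              # what Mattermost will actually see
    audit: dict                         # who / what / from where (step 5)


def strip_client_identity_headers(headers):
    """Remove any identity header the client supplied. Without this step a
    client that reaches the proxy could impersonate any Mattermost user."""
    return {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}


def teams_for(groups):
    """Resolve IdP groups to Mattermost teams; unmapped groups are ignored."""
    return sorted({GROUP_TO_TEAM[g] for g in groups if g in GROUP_TO_TEAM})


def decide(req):
    upstream = strip_client_identity_headers(req.headers)
    audit = {"path": req.path, "src_ip": req.client_ip}

    # Path-based policy: webhooks are machine-to-machine, so no browser SSO
    # redirect; they are gated by source network and carry no identity headers.
    if req.path.startswith("/hooks/"):
        allowed = any(ip_address(req.client_ip) in net for net in WEBHOOK_SOURCE_ALLOWLIST)
        audit.update(decision="forward" if allowed else "deny", auth="webhook-allowlist")
        return Decision(200 if allowed else 403, upstream if allowed else {}, audit)

    # Everything else needs a proxy session established through the IdP.
    session = SESSIONS.get(req.cookies.get("onepam_session", ""))
    if session is None:
        audit.update(decision="redirect-idp", auth=None)
        return Decision(302, {}, audit)

    # Only now, from the verified session, are identity headers set.
    upstream["X-Forwarded-User"] = session["user"]
    upstream["X-Forwarded-Email"] = session["email"]
    upstream["X-Forwarded-Groups"] = ",".join(session["groups"])
    audit.update(decision="forward", user=session["user"], auth=session["amr"])
    return Decision(200, upstream, audit)


if __name__ == "__main__":
    # Constructed request: a client with no session trying to forge an identity.
    forged = Request("/api/v4/users/me", {"X-Forwarded-User": "admin"}, "203.0.113.7")
    print(decide(forged))
```

The two cases worth noting are the forged header with a valid session, where the identity Mattermost sees comes from the session and never from the client, and the webhook path, which is denied outright rather than redirected to the IdP so that a non-browser caller gets a clear failure.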

What about Mattermost's built-in SAML support?

OnePAM provides a simpler alternative that also adds zero-day protection and session recording. It works with Mattermost Free where built-in SAML is not available.

Ready to Secure Mattermost with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Mattermost code changes required. Start your free 14-day trial today.